2020 on IBM Z and LinuxONE Client Workshop November 9-13 What’s New in Linux on IBM Z and LinuxONE — Stefan Raspl IBM Germany Research & Development

Linux on IBM Z and LinuxONE Client WS 2020 / © 2020 IBM Corporation

IBM Z / © 2019 IBM Corporation

Linux on IBM Z

Agenda

● Linux on IBM Z Distributions
● IBM z15 and LinuxONE III
● Kernel & Other Packages
● Containers
● KVM

Linux Distributions & Hardware Certification

See www.ibm.com/systems/z/os/linux/resources/testedplatforms.html for latest updates and details, including certified Linux distributions by machine.

Linux on IBM Z Distributions: SUSE

● SUSE Linux Enterprise Server 15
  – 07/2018 SLES 15 GA: Kernel 4.12, GCC 7.1 / 7.3
  – 07/2020 SLES15 SP2: Kernel 5.3, GCC 7.5 / 9.3
  – EOS 31 July 2028; LTSS: 31 July 2031

● SUSE Linux Enterprise Server 12
  – 10/2014 SLES12 GA: Kernel 3.12, GCC 4.8
  – 12/2019 SLES12 SP5: Kernel 4.12, GCC 4.8
  – EOS 31 Oct. 2024; LTSS: 31 Oct. 2027

● SUSE Linux Enterprise Server 11
  – 03/2009 SLES11 GA: Kernel 2.6.27, GCC 4.3.3
  – 07/2015 SLES11 SP4: Kernel 3.0, GCC 4.3.4
  – EOS 31 Mar. 2019; LTSS: 31 Mar. 2022

● For further details on SLES lifecycles, see https://www.suse.com/en-en/lifecycle/

Linux on IBM Z Distributions:

● Red Hat Enterprise Linux 8
  – 05/2019 RHEL 8 GA: Kernel 4.18, GCC 8.2.1
  – 11/2020 RHEL 8 Update 3
  – EOS: May 2029; ELS: tbd

● Red Hat Enterprise Linux 7
  – 06/2014 RHEL 7 GA: Kernel 3.10, GCC 4.8
  – 09/2020 RHEL 7 Update 9
  – EOS 30 Jun. 2024; ELS: tbd

● Red Hat Enterprise Linux 6
  – 11/2010 RHEL 6 GA: Kernel 2.6.32, GCC 4.4.0
  – 06/2018 RHEL 6 Update 10
  – EOS 30 Nov. 2020; ELS: 30 June 2024

● Red Hat Enterprise Linux 5
  – 03/2007 RHEL 5 GA: Kernel 2.6.18, GCC 4.1.0
  – 09/2014 RHEL 5 Update 11
  – EOS 31 Mar. 2017; ELS: 30 Nov. 2020

● For further details on RHEL lifecycles, see https://access.redhat.com/support/policy/updates/errata

Linux on IBM Z Distributions:

● Ubuntu 20.04 (Focal Fossa)
  – 04/2020 GA: Kernel 5.4, GCC 9.3.0, LTS-Release
  – 08/2020 Ubuntu 20.04.1: Kernel 4.15/4.18 GCC 7.2.0
  – EOS: April 2025; ESM: Apr 2030

● Ubuntu 18.04 (Bionic Beaver)
  – 04/2018 GA: Kernel 4.15, GCC 7.2.0, LTS-Release
  – 08/2019 Ubuntu 18.04.3
  – EOS: April 2023; ESM: Apr 2028

● Ubuntu 16.04 (Xenial Xerus)
  – 04/2016 GA: Kernel 4.4, GCC 5.3.0+, LTS-Release
  – 02/2019 Ubuntu 16.04.06 LTS
  – EOS: April 2021; ESM: Apr 2024

● Lifecycle
  – Regular releases every 6 months and supported for 9 months
  – LTS releases every 2 years and supported for 5 years
  – LTS enablement stack will provide newer kernels within LTS releases
  – http://www.ubuntu.com/info/release-end-of-life

IBM z15 & LinuxONE III

IBM z15: Machine Type 8561, Model T01
IBM LinuxONE III: Machine Type 8561, Model LT1

IBM z15 Overview

● 19” industry standard form factor
● New on-chip compression acceleration

• 14nm SOI technology
• 17 layers of metal as IBM z14
• 5.2 GHz
• 12 cores per CP-chip
• Increased cache sizes:
  – 2x L2 on-chip
  – 1.4x L4
• 14% single thread performance improvement
• 40TB max memory
• 190 usable cores

IBM z15 Single Frame Offerings

IBM z15: Machine Type 8562, Model T02
IBM LinuxONE III: Machine Type 8562, Model LT2

Processor
• Up to 6 cores for CP and up to 65 IFLs
• 14% Single Thread Performance Improvement
• 14% maximum system capacity growth over z14 ZR1
• 19” frame with 8U or 16U Reserved Space
• New on-chip functions
  – Integrated Accelerator for zEDC – for more efficient storage of data

Memory
• Up to 2X more RAIM Memory - 16 TB Max Per System

To the Data
• Faster SSL/TLS handshake performance on T02 with Crypto Express7S compared to z14 ZR1 with Crypto Express6S

IBM z15 Toleration Support: Linux Distros, z/VM and KVM (Minimum Versions)

● Linux Distributions
  – Red Hat Enterprise Linux 8.0 (z stream if needed)
  – Red Hat Enterprise Linux 7.7.z
  – Red Hat Enterprise Linux 6.10.z
  – SUSE Linux Enterprise Server 15 SP1 (maintweb if needed)
  – SUSE Linux Enterprise Server 12 SP4 maintweb
  – SUSE Linux Enterprise Server 11 SP4 (LTSS required)
  – Canonical Ubuntu 18.04 LTS
  – Canonical Ubuntu 16.04 LTS

● z/VM
  – z/VM 7.1
  – z/VM 6.4

● KVM Hypervisor
  – Red Hat Enterprise Linux 8.0 (z stream if needed)
  – Red Hat Enterprise Linux 7.6.z alt
  – SUSE Linux Enterprise Server 15 SP1 (maintweb if needed)
  – SUSE Linux Enterprise Server 12 SP4 (maintweb)
  – Canonical Ubuntu 20.04 LTS
  – Canonical Ubuntu 18.04 LTS
  – Canonical Ubuntu 16.04 LTS

Install z15 with the Linux environment you use today!

IBM z15 Support: New Vector Instructions

Tags: LPAR, z/VM, KVM

● Reported with new feature flags in /proc/cpuinfo
  – vxp
  – vxe2

● Examples for use of new vector instructions:
  – Vector alignment hints
  – Vector Byte and element swaps
  – Vector substring search in strstr() and memmem()

● Exploited (among others) in
  – GCC 9.1
  – glibc 2.30
  – LLVM 9.0.0

IBM z15 Support: Deflate

Tags: 12 SP5, 15 SP1, 19.10, 8.1; LPAR, z/VM, KVM

● Data compress and uncompress through new instruction

● Compression equivalent to gzip -1
  – -1 is fastest, -9 slowest, default is -6

● Can be exploited e.g. by zlib, gzip, Java et al

● Compress data with zlib on IBM z15 with 4 processors up to 42x faster as compared to software compression

● Linux enablement:
  – Java: Use Java 8 SR6 FP16 on any
  – Reported with new feature flag in /proc/cpuinfo: dflt
  – Use env variable DFLTCC_LEVEL_MASK to enable for arbitrary compression levels
  – See here for further details on usage

[Figure: Compression Time w/ 4 IFLs, by source data file (E.coli, bible.txt, world192.txt, Canterbury.tar): minigzip -1 w/ software compression vs. minigzip -1 w/ Integrated Accelerator for zEDC; speedup labels 33.9x, 30.3x, 24x, 42x]

IBM z15 Support: CPACF

Tags: LPAR, z/VM, KVM

● New Message Security Assist MSA9 for Elliptic Curve Cryptography (ECC)

● Supports
  – message authentication
  – generation of elliptic curve keys
  – scalar multiplication

● Supported curves:
  – ECDSA (sign/verify) P256, P384, P521, Ed25519, Ed448
  – ECDH (key exchange) P256, P384, P521, X25519, X448

● Performance
  – Up to 20x key exchange operations
  – Up to 38x sign operations
  – Up to 10x verify operations

● Used with SSL/TLS protocol
  – securing client-server network connection
  – handshake establishes the secure connection

● TLS v1.2 and v1.3 support ECDH (key exchange) and ECDSA (signature)

[Figure: z15 Processor Unit]

IBM z15 Support: Secure Execution

Without secure execution: Guest memory and state at risk of inside attacks

IBM z15 Support: Secure Execution (continued)

With secure execution: Guest memory protected and state shielded by ultravisor

IBM z15 Support: Secure Execution (continued)

Tags: 15 SP2, 8.3, 20.04; KVM

● Allows users to run their Linux workloads with maximum privacy by protecting system memory.

● Not even the system administrator can access customer data ⇒ Protection against insider attacks

● Allows customers to run sensitive workloads on and off premise with the same level of data protection

● Reduces the efforts of a cloud service provider to establish and document procedures for compliance and certification

● What is IBM Secure Execution for Linux?
  – Orderable feature of IBM z15 or LinuxONE III (feature code 115)
  – End-to-end realized in hardware
  – Trusted firmware controlling the separation and isolation of virtual machines
  – CA-certified public private keys to form a chain of trust

● What else is needed?
  – By the machine owner: a Linux with KVM supporting IBM Secure Execution (RHEL 8.3, SLES 15 SP2, Ubuntu 20.04)
  – By the workload owner: a Linux operating system which supports running as KVM guest in an IBM Secure Execution virtual machine (RHEL 7.8, RHEL 8.2, SLES 12 SP5, SLES 15 SP2, Ubuntu 20.04)

IBM z15 Support: Secure Boot for SCSI IPL

Tags: 15 SP2, 8.1, 19.10

● Ensure that only code is loaded during IPL that is
  – signed by a trusted distribution vendor (currently: Red Hat, SUSE or Canonical)
  – unmodified

● Kernel image and zipl boot record must be signed

● zipl tool creates signature entries for SCSI IPL

● New switch on HMC enables secure boot

● Firmware checks signatures and stops IPL on mismatch

● /sys/firmware/ipl/has_secure indicates support

● /sys/firmware/ipl/secure indicates IPL using secure boot

● zipl option secure="auto/0/1"
  – 0: disable secure boot
  – 1: enforce secure boot
  – auto: enable secure boot if system supports it and image/stage3 signed

● Support available in
  – Kernel 5.3
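An added example (not part of the original slides): a POSIX shell check that reads the /proc/cpuinfo feature flags named on the earlier slides (vxp, vxe2, dflt) and the two /sys/firmware/ipl attributes above, and reports whether the current IPL used secure boot. The ROOT prefix argument, the function names, the state names and the sample tree are assumptions of this example; the sample tree is constructed, not captured from a machine.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Interfaces used are the ones the slides name: the /proc/cpuinfo feature flags
# vxp, vxe2 and dflt, and /sys/firmware/ipl/has_secure and .../secure.
# Assumption: every function takes ROOT, a directory prefix, so it can read a
# constructed or copied tree; pass "" to read the running system.

# has_cpu_feature ROOT FLAG
# Succeeds only on an exact token match in the "features" line, so asking for
# "vxe" does not match a line that only lists "vxe2".
has_cpu_feature() {
    sed -n 's/^features[[:space:]]*:[[:space:]]*//p' "$1/proc/cpuinfo" 2>/dev/null |
        tr -s '[:space:]' '\n' | grep -xF -- "$2" >/dev/null
}

# secure_boot_state ROOT
# Prints one of (state names are this example's own):
#   active       secure=1: this IPL used secure boot
#   available    has_secure=1 but secure=0: supported, not used for this IPL
#   unsupported  has_secure=0
#   unknown      the has_secure attribute is not present or not readable
secure_boot_state() {
    ipl="$1/sys/firmware/ipl"
    if [ ! -r "$ipl/has_secure" ]; then
        echo unknown
        return 0
    fi
    has=$(cat "$ipl/has_secure")
    cur=$(cat "$ipl/secure" 2>/dev/null || echo 0)
    if [ "$cur" = 1 ]; then
        echo active
    elif [ "$has" = 1 ]; then
        echo available
    else
        echo unsupported
    fi
}

# audit_host ROOT
# Prints a one-line summary and returns non-zero unless secure boot is active,
# so it can gate a compliance or provisioning step.
audit_host() {
    root="$1"
    line=""
    for flag in vxp vxe2 dflt; do
        if has_cpu_feature "$root" "$flag"; then v=yes; else v=no; fi
        line="$line$flag=$v "
    done
    state=$(secure_boot_state "$root")
    echo "${line}secure_boot=$state"
    [ "$state" = active ]
}

# make_sample_root DIR FEATURES HAS_SECURE SECURE
# Builds a constructed tree with just the files the functions above read.
make_sample_root() {
    mkdir -p "$1/proc" "$1/sys/firmware/ipl"
    printf 'vendor_id       : IBM/S390\nfeatures\t: %s\n' "$2" > "$1/proc/cpuinfo"
    printf '%s\n' "$3" > "$1/sys/firmware/ipl/has_secure"
    printf '%s\n' "$4" > "$1/sys/firmware/ipl/secure"
}

# Demo on a constructed tree: z15 flags present, secure boot supported but
# not used for this IPL.
demo=$(mktemp -d)
make_sample_root "$demo" "esan3 zarch vx vxd vxe vxe2 vxp dflt" 1 0
audit_host "$demo" || echo "secure boot not active for this IPL"
rm -rf "$demo"
```

On a real system, `audit_host ""` reads the live /proc and /sys trees.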

IBM z15 Support: I/O Features

● (New) Crypto Express7S (CEX7S) [Tags: 15 SP2, 8.2, 20.04]
  – Toleration: Treated as a CEX6S (supported by latest releases of RHEL 7, RHEL 8, SLES 12, SLES 15, Ubuntu 18.04)
  – Exploitation: RHEL 8.2, SLES 15 SP2, Ubuntu 20.04

● FICON Express16SA
  – Same performance as FICON Express16S+
  – Exploited transparently, no distro support required

● New RoCE Express2.1 10 and 25 GbE
  – (New) Now up to 16 features per system

● OSA-Express7S 25 GbE SR1.1
  – (New) 10 and 1 GbE features in addition to 25 GbE now available

● OSA-Express5S, OSA-Express6S and OSA-Express7S [Tags: 12 SP4, 15, 18.04, 8.0]
  – New feature: VNICC characteristics providing promiscuous mode.
  – Firmware update required
  – Supported by SLES 12 SP4 or later, SLES 15, RHEL 8, Ubuntu 18.04 or later

Kernel & Other Packages

Linux Kernel – Base IBM Z support

● Kernel Address Space Layout Randomization (kernel 5.2) [Tags: 15 SP2, 19.10, 8.2; LPAR, z/VM, KVM]
  – Security improvements by making the address of the kernel harder to predict

● CPU-MF Counters for z15 (kernel 5.3) [Tags: 12 SP5, 15 SP2, 18.04, 7.8, 8.1; LPAR]
  – Adds Measurement Facility (MF) counters for ECC
  – Access using lscpumf command:
      # lscpumf -c|fgrep ECC_
      r50 ECC_FUNCTION_COUNT
      r51 ECC_CYCLES_COUNT
      r52 ECC_BLOCKED_FUNCTION_COUNT
      r53 ECC_BLOCKED_CYCLES_COUNT

● Kprobes on ftrace (kernel 5.6) [Tags: 20.04, 8.3; LPAR, z/VM, KVM]
  – Improves kprobes performance by using ftrace infrastructure instead of exception based probing for function entry probes.

● Extended performance counters for z15 (kernel 5.7) [Tags: 12 SP5, 15, 20.10, 7.8, 8.2; LPAR]
  – Adds Measurement Facility (MF) counters for TLB, caches, deflate, and others

Linux Kernel – Crypto Support

● In-kernel crypto: SHA3 support (kernel 5.4) [Tags: 15 SP2, 20.04, 8.2; LPAR, z/VM, KVM]
  – Use CPACF to compute SHA3 hashes

● pkey/paes_s390: support for CCA AES cipher keys (kernel 5.4) [Tags: 15 SP2, 20.04, 8.2; LPAR, z/VM, KVM]
  – Cipher keys are an alternative form of CCA secure keys that achieve the highest level of security
  – AES cipher keys are recommended for protected key dm-crypt if used with z14 or later

● pkey/paes_s390: support for EP11 AES key (kernel 5.6) [Tags: 20.04, 8.3; LPAR, z/VM, KVM]
  – Allows the use of protected key dm-crypt for Linux systems with access to CryptoExpress adapters in EP11 mode

● paes_s390: cipher self-test (kernel 5.6) [Tags: 20.04, 8.3; LPAR, z/VM, KVM]
  – Run the AES self test suite of the kernel automatically whenever the module is loaded, as required for a FIPS 140-2 certification

Linux Kernel – Block Device Support

● Thin Provisioning Base Support for DASD (kernel 5.3) [Tags: 15 SP2, 19.10, 8.2; LPAR, z/VM]
  – Use with DASD devices configured for thin provisioning on storage server:
    ● Not all disk space is allocated in the storage server when the disk is empty
    ● Disk space gets allocated only if in use
  – Use dasdfmt options -M quick or --mode quick
    ● Formats first two tracks of disk only
    ● Significantly speeds up formatting process
  – Note: Slow write performance for the first write of each newly used track

● Obtain FCP channel diagnostics data (kernel 5.5) [Tags: 20.10; LPAR, z/VM]
  – FCP channel diagnostic data is available through sysfs attributes in the directory /sys/bus/ccw/drivers/zfcp//diagnostics/

Linux Kernel – Block Device Support (continued)

● Display fabric name for FCP (kernel 5.7) [Tags: 20.10, 8.3; LPAR, z/VM]
  – Use new attribute /sys/class/fc_host//fabric_name to query the name of the connected Fibre Channel fabric.

● Display IBM Fibre Channel Endpoint Security information for FCP (kernel 5.7) [Tags: 15 SP2, 8.3, 20.10; LPAR, z/VM]
  – Capabilities of the FCP channel providing the FCP device bus-ID: /sys/bus/ccw/drivers/zfcp//fc_security
  – Authentication and encryption of connection between FCP device and remote port: /sys/bus/ccw/drivers/zfcp//0x/fc_security

● NVMe IPL Support (kernel 5.8) [Tags: 15 SP2, 20.10, 8.3; LPAR]
  – Non-Volatile Memory express (NVMe) enables clients to have on-board embedded storage through PCIe without DASD or Tape.
  – Gets storage into our box (hyper-converged infrastructure)

Linux Kernel – Networking Support

● Improve invalid frame handling (kernel 5.5) [Tags: 15 SP2, 8.3, 20.10; LPAR, z/VM]
  – Process valid frames within receive buffers containing invalid ones

● Support HiperSockets Multi-Write (kernel 5.5) [Tags: 15 SP2, 8.2, 20.04; LPAR, z/VM]
  – Send multiple frames for the same target with a single instruction
  – Saves CPU cycles

● SMC-R High Availability Support (kernel 5.8) [Tags: 20.10, 8.3; LPAR, z/VM]
  – Extends existing Linux support to utilize multiple RoCE Express adapters for high availability setups, fully compatible with z/OS.

● SMC-Dv2 Support (kernel 5.10) [Tags: LPAR, z/VM]
  – Supports peers in any IP subnet, and simplifies configuration (PNetIDs no longer required)

● HiperSockets Converged Interface (kernel 5.10) [Tags: LPAR]
  – Creates a single logical segment spanning HiperSockets and LAN, using HiperSockets for all attached peers.

Other Packages

● s390-tools v2.15 (10/2020)
  – Userspace tools for use with the Linux kernel and its device drivers on IBM Z
  – Homepage: https://github.com/ibm-s390-tools/s390-tools
  – v2.15.1 supports Linux kernel 5.9
    ● New tool: lsstp
    ● zkey key repository can import EKMF Enterprise key management server keys
    ● cpacfstats: Add CPACF ECC operation counts
    ● See CHANGELOG for further details

● smc-tools v1.3.1 (09/2020)
  – Utilities in support of SMC-R and SMC-D
  – Latest changes:
    ● Documented connection failure error codes
    ● Misc tool improvements

● qclib v2.2.1 (10/2020)
  – C library providing information on system, capacity, and layers
  – Latest changes:
    ● Support for zCX environment
    ● Added new commands zname and zhypinfo

● Open Cryptoki v3.15 (10/2020)
  – Implements the Cryptoki API as defined by the PKCS#11 specification
  – Homepage: https://github.com/opencryptoki/opencryptoki/
  – Latest Changes:
    ● Conform to PKCS#11 3.0 Baseline Provider profile
    ● p11sak tool: add remove-key command version
    ● CCA: Support key wrapping
    ● SOFT: Support ECC

Compilers

● Development focus on GCC and LLVM

● IBM z15 support available in GCC 9.1 and LLVM 9.0.0 or later as follows:
  – -march=arch13 enables GCC and LLVM z15 instruction set exploitation
    ● New bit operations
    ● 2 way conditional register moves (select)
    ● Vector byte and element swaps

– -mtune=arch13 for z15 specific instruction scheduling ● No new instructions used (does not require a z15 to run)

– Alias -march/-mtune=z15 available in GCC 9.3 and LLVM 10.0.0 or later

Libraries & Debuggers

● GNU C Library Support
  – Hardware capability flags indicate z15 facilities
  – New instruction MVCRL (move right to left), provides 1.5x speedup for memmove when used for array insert operations
  – New instruction Vector Substring Search, providing 2.5x speedup for strstr and memmem functions
  – Included in glibc 2.30
  – RHEL 8.1, SLES 12 SP5, SLES 15 SP2, Ubuntu 19.10, or later

● GNU Debugger GDB
  – z15 instruction set support for record and replay (reverse debugging)
    ● Upstream in GDB 9.1
    ● Available via TCM 2019 for SLES, Ubuntu 20.04

- Memory Debugger
  – Full instruction set translation to and from intermediate language required.
  – z13 support available with RHEL 8.0, SLES 12 SP5, SLES 15 SP1, Ubuntu 19.04

● Perf – Performance Profiling
  – Includes support for IBM Z hardware sampling and counter facilities
  – z15 support available with RHEL8.0 RHEL7 SLES15 SLES12 Ubuntu19

[Figure: Activation profile settings for per HW sampling support]

Algebra Libraries with IBM Z Vector Support

● Algebra libraries serve as back-ends for various math frameworks like Numpy, R, and Octave.
  – OpenBlas [Tags: 20.10; LPAR, z/VM, KVM]
    ● z13 double precision support (dgemm) upstream since 0.2.20 → RHEL 7/8, SLES 12/15, Ubuntu 18.04
    ● z14 single precision support (sgemm) upstream in 0.3.10 → future distros
  – libAtlas [Tags: 19.10, 8.3; LPAR, z/VM, KVM]
    ● z13 and z14 support in Ubuntu 19.10

Note: OpenBlas and libAtlas implement the standard blas library interface and can be used interchangeably.

● Eigen [Tags: LPAR, z/VM, KVM]
  – CPU compute back-end for Tensorflow
  – Source-only package: Recent versions will be pulled in during build
  – IBM z13 full support since 3.3.0
  – IBM z14 support upstream since 2017 will be part of upcoming release
  – z15 alignment hints added by compiler

Containers

Container Tools on IBM Z

Container Tools Availability

● Docker is available and supported in
  – Ubuntu 16.04 and later
  – RHEL 7.5 - 7.7 via extras repository
  – SLES 15 – SLES 15 SP1

● Podman is available and supported in
  – RHEL 7.5 and later
  – SLES15 SP1

● Docker is available as community edition
  – Ubuntu 16.04 and later
  – Fedora 28 and later
  – Binaries at docker.com

Package versions

                  docker     podman
● Red Hat
  RHEL 7.6        1.13       1.4.4
  RHEL 7.7        1.13       1.4.4
  RHEL 8          -          1.0.5
  RHEL 8.2        -          1.6.4
  RHEL 8.3        -          2.0.5
● SUSE
  SLES15          17.09      -
  SLES15 SP1      18.09.1    1.0.1
  SLES15 SP1      19.03.5    1.8.0
● Ubuntu
  16.04 LTS       18.09.7    -
  18.04 LTS       18.09.7    -
  20.04 LTS       19.03.8    -

Kata Containers – The Speed of Containers, the Security of VMs

• Run containers inside a virtual machine to improve isolation
• Released end of December 2017, IBM Z support at the end of 2018
• Licensed under Apache 2.0 license
• Support for main container engines: Docker, cri-containerd, cri-o and Podman
• Support for Kubernetes
• Available via Snap
• No modifications of existing tools
• Used in parallel to standard containers

/etc/docker/daemon.json:

    {
      "runtimes": {
        "kata": {
          "path": "/usr/bin/kata-runtime"
        }
      }
    }

[Figure: two stacks side by side. Labels: kubernetes, container engine, container runtime: runc, container runtime: kata, Namespace, KVM, container, guest kernel, Host kernel]

How to install container tools

• RHEL
  ● Docker
      # subscription-manager repos \
          --enable=rhel-7-server-extras-rpms
      # yum install docker
      # systemctl start docker.service
      # systemctl enable docker.service
  ● Podman
      # yum install podman

• SLES
  ● Requires registration
      # SUSEConnect -p sle-module-containers//s390x
      # zypper refresh
  ● Docker
      # zypper install docker
      # systemctl start docker.service
      # systemctl enable docker.service
  ● Podman
      # zypper install podman

• Ubuntu
  ● Docker
      # apt install docker.io
  ● Kata
      # apt-get install -y snapd snapcraft
      # snap install kata-containers --classic

Image registries and available images

Container image registries:
• https://hub.docker.com
• https://quay.io
• https://gcr.io

Available container images:
• Ubuntu, Alpine, Fedora, , ClefOS
• Golang, Python, Java, , Ruby, PHP, Node.js, etc
• IBM DB2, PostgreSQL, Redis, HAProxy, Apache Tomcat, MongoDB, Apache HTTP Server, GCC, etc

Multi-arch container images

Docker 18.09+: docker buildx (experimental)

    # docker buildx create --use --name
    # docker buildx build --platform linux/amd64,linux/s390x --push -t .
    # docker buildx imagetools inspect
    # docker buildx stop
    # docker buildx rm

See
• https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images
• https://github.com/docker/buildx

Buildah 1.12.0+: buildah manifest

    # buildah bud -t .
    # buildah manifest create
    # buildah manifest add
    # buildah manifest push
    # buildah manifest push --all
    # buildah manifest inspect
    # buildah rmi

See
• https://buildah.io/releases/2020/01/14/Buildah-version-v1.12.0.html
• https://devconfcz2020a.sched.com/event/YOqb/building-multi-arch-container-images-with-buildah

Container Orchestrators on Linux on IBM Z

Community editions
• Docker Swarm (from docker-ce)
  See https://docs.docker.com/engine/swarm/swarm-tutorial/create-swarm/
• Kubernetes
  ● Binaries released by the Kubernetes community
    See https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
    https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/
  ● Ubuntu Kubernetes Distro
    See https://ubuntu-on-big-iron.blogspot.com/2019/08/deploy-cdk-on-ubuntu-s390x.html

Enterprise products
• Openshift Container Platform (OCP) 4.5
  See https://docs.openshift.com/container-platform/4.5/installing/installing_ibm_z/installing-ibm-z.html
• Ubuntu Kubernetes Distro (Charmed Kubernetes)
  See https://ubuntu-on-big-iron.blogspot.com/2019/08/deploy-cdk-on-ubuntu-s390x.html

OpenShift Container Platform on IBM Z

OCP 4.6 Release
• In lockstep with other platforms
• Minimum configuration:
• z/VM hypervisor
• OCP cluster nodes run in z/VM guests
• LPAR/KVM support subject to future releases
• Try for yourself:
• https://try.openshift.com/
• https://docs.openshift.com/container-platform/4.6/installing/installing_ibm_z/installing-ibm-z.html

[Figure: RHOCP Cluster with three RHOCP Control Plane nodes and two RHOCP Compute Nodes, each on CoreOS, on a Hypervisor in LPAR 1]

KVM

KVM on IBM Z

KVM Availability

● KVM is available and supported in
  – SLES12 SP2 and later
  – RHEL 7.5 via the kernel-alt packages
  – RHEL 8
  – Ubuntu 16.04 and later

● KVM is available in community distributions
  – Debian
  – Fedora
  – openSUSE

Package versions*

                  kernel    QEMU     Libvirt
● Red Hat
  RHEL 7.5-alt    4.14      2.10     3.9
  RHEL 7.6-alt    4.14      2.12     4.5
  RHEL 8.2        4.18      2.12     4.5
  RHEL 8.3        4.18      4.2      6.0
● SUSE
  SLES12 SP4      4.12      2.11     4.0
  SLES12 SP5      4.12      3.1      5.1
  SLES15 SP1      4.12      3.1      5.0
  SLES15 SP2      5.3       4.2      6.0
● Ubuntu
  16.04 LTS       4.4       2.5      1.3.1
  18.04 LTS       4.15      2.11     4.0
  20.04 LTS       5.4       4.2      6.0

* Package version info does not reflect add’l backports!

How to get KVM

● RHEL
    # yum install qemu-kvm libvirt virt-install virt-manager

Do a modprobe kvm (once)

● SLES
    # zypper install qemu-kvm libvirt virt-install virt-manager

● Ubuntu
    # apt install qemu-kvm libvirt-daemon libvirt-clients virt-manager

KVM Hardware Support: z15 Features

● Miscellaneous instructions – New helper and general purpose instructions

● New Vector Instructions (aka SIMD Extensions) – improve decimal calculations as well as for implementing high performance variants of certain cryptographic operations

● Deflate Conversion – Provide acceleration for zlib compression and decompression

● CPACF Updates – New Message Security Assist MSA9, providing elliptic curve cryptography, supporting message authentication, the generation of elliptic curve keys, and scalar multiplication – No host support required

● Secure Execution – Allows users to run their Linux workloads with maximum privacy by protecting system memory. Even the system administrator can’t access customer data!

KVM Hardware Support: z15 CPU Model

Tags: 12 SP5, 15 SP1, 8.1, 18.04

hvm [...]

● z15 support provided by new model gen15a, enabling all z15 features per default

● Choose among the following CPU models:
  Columns: Mode; Feature Set; Migration Safe; Syntax
  – Pre-defined; Static; gen15a
  – Host model (recommended); Maximum (based on current host)
  – Host passthrough; Maximum

Miscellaneous

Staying Up-To-Date

Blogs

● Very latest news from the development team

– KVM on Z: http://kvmonz.blogspot.com/

– Linux on Z & containers: http://linux-on-z.blogspot.com/

● Focus primarily on upstream submissions, which will end up in Linux distributions later

● Also features in-depth articles on specific topics

● Provided by Linux on Z development team

References

Documentation ● Linux on Z and LinuxONE Knowledgecenter https://www.ibm.com/support/knowledgecenter/linuxonibm/liaaf/lnz_r_main.html

● Video explainers https://www.ibm.com/support/knowledgecenter/linuxonibm/liaaf/lnz_r_videos.html

Webcasts ● In-depth sessions right from the Linux on Z development team ● Recordings available http://ibm.biz/Linux-on-IBMZ-LinuxONE-Webcasts

Blogs ● Primary places for news and updates – Linux on Z, including containers: http://linux-on-z.blogspot.com/ – KVM on Z: http://kvmonz.blogspot.com/

Tag Legend

● Supported distributions

x.y 12 for SUSE SLES Service Pack , e.g. SP3 for SLES12 SP3

x.y for RHEL Update , e.g. 7.4 for RHEL7.4

x.y for Ubuntu x.y, e.g. 16.04 for Ubuntu 16.04 LTS

● Supported environments

LPAR usable for systems running in LPAR mode

z/VM usable for guests running on z/VM

KVM usable for guests running on KVM
